cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1819
Views
0
Helpful
8
Replies

2 distribution switches to 1 ASA

mrjdh
Level 1
Level 1

Hello,

 

I've built a reasonable large topology in GNS3 to show use of a variety of layer 2 and 3 technologies, with just a touch of ASA or enough to demonstrate ASA basics and setup of a site-to-site VPN. As a result and most importantly because I can't really afford any more CPU cycles(!), I have a single ASA connecting my layer 2 block to the edge router running BGP.

 

SingleASA_2Distro.png

 

Is there a way in which I can connect the ASA to the two distribution switches running HSRP for two VLANs? As I say, I just don't want to undo my hard work and time by pushing GNS any more.

 

I've read a few responses to a similar question whereby a simple switch between the distros and ASA is the solution, presumably keeping things layer 2 between the new switch and the distribution switches?

 

How can I achieve this and also ensure that traffic will be returned to the current HSRP active device?

 

Thanks in advance.

 

Many thanks.

1 Accepted Solution

Accepted Solutions

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

View solution in original post

8 Replies 8

You can configure a redundant interface on the ASA and add one member-interface connecting to SW1 and one member-interface connecting to SW2. The redundant interface also can have sub interfaces for all your needed VLANs. But as ASA and the Switch don't share any information which switch is HSRP-active, you could have a non-optimal traffic flow. 

Thanks Karsten. Is there any way around the no-knowledge of the active switch? What would you do in this scenario, keeping only the 1 ASA?

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

That's great - thanks for another reply Karsten, much appreciated. I love this community!

You are welcome!

bhargavdesai
Spotlight
Spotlight
You may be working on resilient network design.

You may refer this
https://www.802101.com/cisco-asa-failover-redundant-interfaces-catalyst-hsrp-and-power/amp/

Unfortunately emulator GNS3/EVE-NG with ASAv does not support redundant interface as i know.
And i want to know the status for the IPSEC VPN issue which you posted earlier.


HTH

Hi bhargavdesi,
Thank you for the reply - I haven't forgotten about your VPN reply, I'm going to be testing it in the next couple of hours!

Thank and do let me know if you need further help on that.
And i hope the link will give you good ideas about latest query

HTH
Review Cisco Networking for a $25 gift card